docling
PyPI8 known CVEs affecting this package
Aggregated from OSV, GitHub Security Advisories, NVD, and vendor advisories. Each CVE links to its full detail page with vendor advisories, patches, fixed versions, and remediation guidance.
CVEs affecting doclingpage 1 of 1
- CVE-2026-31247HIGHCVSS 7.5EG 7.52026-05-11
vulnerable: 0.1.0 ... 2.9.0 (137 versions)
Docling's JATS XML backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend uses etree.parse() to parse XML files without disabling entity resolution. An attacker can craft a malicious XML file containing a nest…
- CVE-2026-31248HIGHCVSS 7.5EG 7.52026-05-11
vulnerable: 0.1.0 ... 2.9.0 (137 versions)
Docling's METS GBS backend is vulnerable to XML Entity Expansion (XXE) attacks thru 2.61.0. The backend extracts and validates XML files from .tar.gz archives using etree.fromstring() without disabling entity resolution. An attacker can cr…
- CVE-2026-44016HIGHCVSS 8.2EG 8.2✓ Fixed in 2.91.02026-06-03
vulnerable: 2.82.0 ... 2.90.0 (9 versions)
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. FIn versions >= 2.82.0, < 2.91.0, if the HTML backend was explicitly configured for rendering (rendering option …
- CVE-2026-44017HIGHCVSS 7.5EG 7.5✓ Fixed in 2.91.02026-06-03
vulnerable: 0.1.0 ... 2.90.0 (171 versions)
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.91.0, the EasyOCR model download functionality extracted ZIP archives without validating member paths…
- CVE-2026-44018HIGHCVSS 7.1EG 7.1✓ Fixed in 2.91.02026-06-03
vulnerable: 2.45.0 ... 2.90.0 (55 versions)
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.45.0 until 2.91.0, the METS-GBS backend's XML parsing and the input document format detection lacked secu…
- CVE-2026-44020HIGHCVSS 7.5EG 7.5✓ Fixed in 2.74.02026-06-03
vulnerable: 2.13.0 ... 2.73.1 (84 versions)
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.13.0 until 2.74.0, the USPTO patent XML parser used the standard xml.sax.parseString() without protection…
- CVE-2026-44022MEDIUMCVSS 5.5EG 5.5✓ Fixed in 2.91.02026-06-03
vulnerable: 2.73.0 ... 2.90.0 (19 versions)
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. From 2.73.0 until 2.91.0, he LaTeX backend's handling of \includegraphics, \input, and \include commands lacked …
- CVE-2026-47214HIGHCVSS 7.1EG 7.1✓ Fixed in 2.94.02026-06-03
vulnerable: 0.1.0 ... 2.93.0 (174 versions)
Docling simplifies document processing by parsing diverse formats and providing integrations with the generative AI ecosystem. Prior to 2.94.0, the HTML backend has unsafe URI and path handling. This vulnerability is fixed in 2.94.0.
Check whether docling is used in your infrastructure
EchelonGraph scans your cloud and SBOMs to map every package to your actual deployments. See blast radius for docling CVEs against the assets you own.
Start Free Scan →